In a presentation at this week’s RSA security conference in San Francisco, researchers from Kaspersky Labs revealed more bad news for the Internet of drivable things—connected cars. Malware researchers Victor Chebyshev and Mikhail Kuzin examined seven Android apps for connected vehicles and found that the apps were ripe for malicious exploitation. Six of the applications had unencrypted user credentials, and all of them had little in the way of protection against reverse-engineering or the insertion of malware into apps.

The security vulnerabilities of connected cars have been a hot topic at security conferences for the past few years—particularly after researchers Charlie Miller and Chris Valasek demonstrated that they could control many of the functions of a Jeep Grand Cherokee (including its brakes and steering) remotely through the vehicle’s built-in cellular data connection. There have also been repeated demonstrations of vulnerabilities in how the mobile applications from various connected vehicle services connect to vehicles, such as Sammy Kamkar’s demonstration of intercepting data from the mobile app for GM’s OnStar.

The vulnerabilities looked at by the Kaspersky researchers focused not on vehicle communication, but on the Android apps associated with the services and the potential for their credentials to be hijacked by malware if a car owner’s smartphone is compromised. Chebyshev and Kuzin wrote:

Theoretically, after stealing credentials, an evildoer will be able to gain control of the car, but this does not mean that the criminal is capable of simply driving off with it. The thing is, a key is needed for a car in order for it to start moving. Therefore, after accessing the inside of a car, car thieves use a programming unit to write a new key into the car’s on-board system. Now, let us recall that almost all of the described apps allow for the doors to be unlocked, that is, deactivation of the car’s alarm system. Thus, an evildoer can covertly and quickly perform all of the actions in order to steal a car without breaking or drilling anything.

All seven of the applications allowed the user to remotely unlock their vehicle; six made remote engine start possible (though whether it’s possible for someone to drive off with the vehicle without having a key or RFID-equipped key fob present is unclear). Two of the seven apps used unencrypted user logins and passwords, making theft of credentials much easier. And none of the applications performed any sort of integrity check or detection of root permissions to the app’s data and events—making it much easier for someone to create an “evil” version of the app to provide an avenue for attack.

While malware versions of these apps would require getting a car owner to install them on their device in order to succeed, Chebyshev and Kuzin suggested that would be possible through a spear-phishing attack warning the owner of a need to do an emergency app update. Other malware might also be able to perform the installation.
While no such malware has yet been reported, the researchers noted,

Contemporary Trojans are quite flexible: if one of these Trojans shows a persistent ad today (which cannot be removed by the user himself), then tomorrow it can upload a configuration file from a car app to a command-and-control server at the request of criminals. The Trojan could also delete the configuration file and override it with a modified one.